// +build seccomp

package seccomp // import "github.com/docker/docker/profiles/seccomp"

import (
	"github.com/opencontainers/runtime-spec/specs-go"
	"golang.org/x/sys/unix"
)

// arches returns the architecture map used by the default profile: for each
// primary architecture, the compatibility sub-architectures whose syscall
// tables the filter must also cover (e.g. 32-bit x86 and x32 under x86_64).
// Without these entries a process could switch to the compatibility ABI and
// issue syscalls the filter was not compiled for.
func arches() []Architecture {
	// entry builds one Architecture from a primary arch and its sub-arches.
	entry := func(primary specs.Arch, sub ...specs.Arch) Architecture {
		return Architecture{Arch: primary, SubArches: sub}
	}

	return []Architecture{
		entry(specs.ArchX86_64, specs.ArchX86, specs.ArchX32),
		entry(specs.ArchAARCH64, specs.ArchARM),
		entry(specs.ArchMIPS64, specs.ArchMIPS, specs.ArchMIPS64N32),
		entry(specs.ArchMIPS64N32, specs.ArchMIPS, specs.ArchMIPS64),
		entry(specs.ArchMIPSEL64, specs.ArchMIPSEL, specs.ArchMIPSEL64N32),
		entry(specs.ArchMIPSEL64N32, specs.ArchMIPSEL, specs.ArchMIPSEL64),
		entry(specs.ArchS390X, specs.ArchS390),
	}
}

// DefaultProfile defines the allowed syscalls for the default seccomp profile.
// Every syscall not matched by an entry falls through to the profile's
// DefaultAction (an errno return), so the list below is an allowlist.
func DefaultProfile() *Seccomp {
	// Entries are evaluated as a set of allow rules. Ordering here groups them
	// as: the broad unconditional allowlist, then rules gated on kernel
	// version, on argument values, on architecture, and finally on the
	// capabilities the container was started with (Includes/Excludes.Caps).
	syscalls := []*Syscall{
		{
			// Unconditionally allowed on every architecture. Anything not in
			// this list (and not matched by a later rule) is refused.
			Names: []string{
				"accept",
				"accept4",
				"access",
				"adjtimex",
				"alarm",
				"bind",
				"brk",
				"capget",
				"capset",
				"chdir",
				"chmod",
				"chown",
				"chown32",
				"clock_adjtime",
				"clock_adjtime64",
				"clock_getres",
				"clock_getres_time64",
				"clock_gettime",
				"clock_gettime64",
				"clock_nanosleep",
				"clock_nanosleep_time64",
				"close",
				"connect",
				"copy_file_range",
				"creat",
				"dup",
				"dup2",
				"dup3",
				"epoll_create",
				"epoll_create1",
				"epoll_ctl",
				"epoll_ctl_old",
				"epoll_pwait",
				"epoll_wait",
				"epoll_wait_old",
				"eventfd",
				"eventfd2",
				"execve",
				"execveat",
				"exit",
				"exit_group",
				"faccessat",
				"faccessat2",
				"fadvise64",
				"fadvise64_64",
				"fallocate",
				"fanotify_mark",
				"fchdir",
				"fchmod",
				"fchmodat",
				"fchown",
				"fchown32",
				"fchownat",
				"fcntl",
				"fcntl64",
				"fdatasync",
				"fgetxattr",
				"flistxattr",
				"flock",
				"fork",
				"fremovexattr",
				"fsetxattr",
				"fstat",
				"fstat64",
				"fstatat64",
				"fstatfs",
				"fstatfs64",
				"fsync",
				"ftruncate",
				"ftruncate64",
				"futex",
				"futex_time64",
				"futimesat",
				"getcpu",
				"getcwd",
				"getdents",
				"getdents64",
				"getegid",
				"getegid32",
				"geteuid",
				"geteuid32",
				"getgid",
				"getgid32",
				"getgroups",
				"getgroups32",
				"getitimer",
				"getpeername",
				"getpgid",
				"getpgrp",
				"getpid",
				"getppid",
				"getpriority",
				"getrandom",
				"getresgid",
				"getresgid32",
				"getresuid",
				"getresuid32",
				"getrlimit",
				"get_robust_list",
				"getrusage",
				"getsid",
				"getsockname",
				"getsockopt",
				"get_thread_area",
				"gettid",
				"gettimeofday",
				"getuid",
				"getuid32",
				"getxattr",
				"inotify_add_watch",
				"inotify_init",
				"inotify_init1",
				"inotify_rm_watch",
				"io_cancel",
				"ioctl",
				"io_destroy",
				"io_getevents",
				"io_pgetevents",
				"io_pgetevents_time64",
				"ioprio_get",
				"ioprio_set",
				"io_setup",
				"io_submit",
				"io_uring_enter",
				"io_uring_register",
				"io_uring_setup",
				"ipc",
				"kill",
				"lchown",
				"lchown32",
				"lgetxattr",
				"link",
				"linkat",
				"listen",
				"listxattr",
				"llistxattr",
				"_llseek",
				"lremovexattr",
				"lseek",
				"lsetxattr",
				"lstat",
				"lstat64",
				"madvise",
				"membarrier",
				"memfd_create",
				"mincore",
				"mkdir",
				"mkdirat",
				"mknod",
				"mknodat",
				"mlock",
				"mlock2",
				"mlockall",
				"mmap",
				"mmap2",
				"mprotect",
				"mq_getsetattr",
				"mq_notify",
				"mq_open",
				"mq_timedreceive",
				"mq_timedreceive_time64",
				"mq_timedsend",
				"mq_timedsend_time64",
				"mq_unlink",
				"mremap",
				"msgctl",
				"msgget",
				"msgrcv",
				"msgsnd",
				"msync",
				"munlock",
				"munlockall",
				"munmap",
				"nanosleep",
				"newfstatat",
				"_newselect",
				"open",
				"openat",
				"openat2",
				"pause",
				"pidfd_open",
				"pidfd_send_signal",
				"pipe",
				"pipe2",
				"poll",
				"ppoll",
				"ppoll_time64",
				"prctl",
				"pread64",
				"preadv",
				"preadv2",
				"prlimit64",
				"pselect6",
				"pselect6_time64",
				"pwrite64",
				"pwritev",
				"pwritev2",
				"read",
				"readahead",
				"readlink",
				"readlinkat",
				"readv",
				"recv",
				"recvfrom",
				"recvmmsg",
				"recvmmsg_time64",
				"recvmsg",
				"remap_file_pages",
				"removexattr",
				"rename",
				"renameat",
				"renameat2",
				"restart_syscall",
				"rmdir",
				"rseq",
				"rt_sigaction",
				"rt_sigpending",
				"rt_sigprocmask",
				"rt_sigqueueinfo",
				"rt_sigreturn",
				"rt_sigsuspend",
				"rt_sigtimedwait",
				"rt_sigtimedwait_time64",
				"rt_tgsigqueueinfo",
				"sched_getaffinity",
				"sched_getattr",
				"sched_getparam",
				"sched_get_priority_max",
				"sched_get_priority_min",
				"sched_getscheduler",
				"sched_rr_get_interval",
				"sched_rr_get_interval_time64",
				"sched_setaffinity",
				"sched_setattr",
				"sched_setparam",
				"sched_setscheduler",
				"sched_yield",
				"seccomp",
				"select",
				"semctl",
				"semget",
				"semop",
				"semtimedop",
				"semtimedop_time64",
				"send",
				"sendfile",
				"sendfile64",
				"sendmmsg",
				"sendmsg",
				"sendto",
				"setfsgid",
				"setfsgid32",
				"setfsuid",
				"setfsuid32",
				"setgid",
				"setgid32",
				"setgroups",
				"setgroups32",
				"setitimer",
				"setpgid",
				"setpriority",
				"setregid",
				"setregid32",
				"setresgid",
				"setresgid32",
				"setresuid",
				"setresuid32",
				"setreuid",
				"setreuid32",
				"setrlimit",
				"set_robust_list",
				"setsid",
				"setsockopt",
				"set_thread_area",
				"set_tid_address",
				"setuid",
				"setuid32",
				"setxattr",
				"shmat",
				"shmctl",
				"shmdt",
				"shmget",
				"shutdown",
				"sigaltstack",
				"signalfd",
				"signalfd4",
				"sigprocmask",
				"sigreturn",
				"socket",
				"socketcall",
				"socketpair",
				"splice",
				"stat",
				"stat64",
				"statfs",
				"statfs64",
				"statx",
				"symlink",
				"symlinkat",
				"sync",
				"sync_file_range",
				"syncfs",
				"sysinfo",
				"tee",
				"tgkill",
				"time",
				"timer_create",
				"timer_delete",
				"timer_getoverrun",
				"timer_gettime",
				"timer_gettime64",
				"timer_settime",
				"timer_settime64",
				"timerfd_create",
				"timerfd_gettime",
				"timerfd_gettime64",
				"timerfd_settime",
				"timerfd_settime64",
				"times",
				"tkill",
				"truncate",
				"truncate64",
				"ugetrlimit",
				"umask",
				"uname",
				"unlink",
				"unlinkat",
				"utime",
				"utimensat",
				"utimensat_time64",
				"utimes",
				"vfork",
				"vmsplice",
				"wait4",
				"waitid",
				"waitpid",
				"write",
				"writev",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
		},
		{
			// ptrace is allowed without a capability only on kernels that are
			// at least 4.8; on older kernels it is reachable solely through the
			// CAP_SYS_PTRACE rule further down.
			Names:  []string{"ptrace"},
			Action: specs.ActAllow,
			Includes: Filter{
				MinKernel: &KernelVersion{4, 8},
			},
		},
		{
			// personality is only allowed for a fixed set of argument values
			// (the next five rules); any other persona request is refused by
			// the default action. Per personality(2) these values appear to be
			// PER_LINUX, PER_LINUX32, UNAME26, PER_LINUX32|UNAME26 and the
			// "query current persona" value 0xffffffff — confirm against the
			// kernel headers before extending the set.
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x0,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x0008,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x20000,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x20008,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			Names:  []string{"personality"},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    specs.OpEqualTo,
				},
			},
		},
		{
			// Architecture-specific syscalls: each of the following rules is
			// only applied when the host matches Includes.Arches.
			Names: []string{
				"sync_file_range2",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"ppc64le"},
			},
		},
		{
			Names: []string{
				"arm_fadvise64_64",
				"arm_sync_file_range",
				"sync_file_range2",
				"breakpoint",
				"cacheflush",
				"set_tls",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"arm", "arm64"},
			},
		},
		{
			Names: []string{
				"arch_prctl",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"amd64", "x32"},
			},
		},
		{
			Names: []string{
				"modify_ldt",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"amd64", "x32", "x86"},
			},
		},
		{
			Names: []string{
				"s390_pci_mmio_read",
				"s390_pci_mmio_write",
				"s390_runtime_instr",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Arches: []string{"s390", "s390x"},
			},
		},
		{
			// Capability-gated rules: the syscall is allowed only when the
			// container's bounding set includes the listed capability, so
			// dropping the capability also removes the syscall.
			Names: []string{
				"open_by_handle_at",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_DAC_READ_SEARCH"},
			},
		},
		{
			// With CAP_SYS_ADMIN clone is allowed with any flags, which is why
			// the two restricted clone rules below exclude that capability.
			Names: []string{
				"bpf",
				"clone",
				"fanotify_init",
				"lookup_dcookie",
				"mount",
				"name_to_handle_at",
				"perf_event_open",
				"quotactl",
				"setdomainname",
				"sethostname",
				"setns",
				"syslog",
				"umount",
				"umount2",
				"unshare",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			// Without CAP_SYS_ADMIN, clone is allowed only when none of the
			// namespace-creating flags are set: OpMaskedEqual checks
			// (arg & Value) == ValueTwo, and ValueTwo is 0. This rule is
			// skipped on s390 because the flags live in a different argument
			// there (next rule).
			Names: []string{
				"clone",
			},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index:    0,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       specs.OpMaskedEqual,
				},
			},
			Excludes: Filter{
				Caps:   []string{"CAP_SYS_ADMIN"},
				Arches: []string{"s390", "s390x"},
			},
		},
		{
			// Same namespace-flag restriction as above, applied to argument
			// index 1 for the s390 clone calling convention.
			Names: []string{
				"clone",
			},
			Action: specs.ActAllow,
			Args: []*specs.LinuxSeccompArg{
				{
					Index:    1,
					Value:    unix.CLONE_NEWNS | unix.CLONE_NEWUTS | unix.CLONE_NEWIPC | unix.CLONE_NEWUSER | unix.CLONE_NEWPID | unix.CLONE_NEWNET | unix.CLONE_NEWCGROUP,
					ValueTwo: 0,
					Op:       specs.OpMaskedEqual,
				},
			},
			Comment: "s390 parameter ordering for clone is different",
			Includes: Filter{
				Arches: []string{"s390", "s390x"},
			},
			Excludes: Filter{
				Caps: []string{"CAP_SYS_ADMIN"},
			},
		},
		{
			Names: []string{
				"reboot",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_BOOT"},
			},
		},
		{
			Names: []string{
				"chroot",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_CHROOT"},
			},
		},
		{
			Names: []string{
				"delete_module",
				"init_module",
				"finit_module",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_MODULE"},
			},
		},
		{
			Names: []string{
				"acct",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_PACCT"},
			},
		},
		{
			// ptrace also appears here so that it stays available with
			// CAP_SYS_PTRACE on kernels older than the 4.8 rule above.
			Names: []string{
				"kcmp",
				"pidfd_getfd",
				"process_vm_readv",
				"process_vm_writev",
				"ptrace",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_PTRACE"},
			},
		},
		{
			Names: []string{
				"iopl",
				"ioperm",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_RAWIO"},
			},
		},
		{
			Names: []string{
				"settimeofday",
				"stime",
				"clock_settime",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_TIME"},
			},
		},
		{
			Names: []string{
				"vhangup",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_TTY_CONFIG"},
			},
		},
		{
			Names: []string{
				"get_mempolicy",
				"mbind",
				"set_mempolicy",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYS_NICE"},
			},
		},
		{
			// syslog is reachable with either CAP_SYS_ADMIN (rule above) or
			// the narrower CAP_SYSLOG.
			Names: []string{
				"syslog",
			},
			Action: specs.ActAllow,
			Args:   []*specs.LinuxSeccompArg{},
			Includes: Filter{
				Caps: []string{"CAP_SYSLOG"},
			},
		},
	}

	// Everything not matched above returns an errno rather than killing the
	// process. No explicit errno is set here, so the value is whatever the
	// runtime uses by default for ActErrno (commonly EPERM — confirm against
	// the runtime in use).
	// NOTE(review): syscalls newer than this list (clone3, for example, is not
	// present) are therefore refused with that errno instead of ENOSYS, which
	// libc fallback paths that probe for "not implemented" will not recognise
	// — confirm this is the intended behaviour when updating the list.
	return &Seccomp{
		DefaultAction: specs.ActErrno,
		ArchMap:       arches(),
		Syscalls:      syscalls,
	}
}